Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1542
Views
0
Helpful
8
Replies

URL filtering for Remote access VPN users

mchockalingam
Level 1
Level 1

‎03-31-2009 08:08 AM - last edited on ‎02-21-2020 11:48 PM by Community Manager

Hi All,

I have an ASA 5520 that is configured for remote access VPN and clients connect using IPSec or anyconnect SSL.

Most of the clients use non-split tunneling policy and the web traffic goes through the ASA. Our URL filtering server is on the inside network. I tried configuring URL filtering but did not work since the vpn clients get terminated on the outside (lower security interface) and the web traffic flows from outside to inside (higher security) and URL filtering will work only when the http traffic goes from higher security to lower security.

How can I enable URL filtering for remote access users?

Any ideas?

Meena

Labels:
0 Helpful
8 Replies 8

Ivan Martinon
Level 7
Level 7

‎03-31-2009 10:43 AM

Hi Meena,

I don't think url filter is restricted for inside users to outside, can you check if the u-turn, hairpin is enable and working fine? if so, can you please post your url config here? are you including the vpn clients pool for url inspection? Can you post your config?

0 Helpful

mchockalingam
Level 1
Level 1
In response to Ivan Martinon

‎03-31-2009 11:08 AM

Based on this link,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

I see the following text under the Bckground Information.

You can filter connection requests that originate from a more secure network to a less secure network.

The tunnel default gateway is our perimeter firewall which is on the inside subnet of the ASA. I have not tried hairpinning the traffic yet.

Meena

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to mchockalingam

‎03-31-2009 11:18 AM

Mhhh... is this topology sending back the traffic to the ASA after it is forwarded to the tunnel default gateway or is it sending it to another GW?

0 Helpful

mchockalingam
Level 1
Level 1
In response to Ivan Martinon

‎03-31-2009 11:32 AM

The topology is that the ASA is sending it to another deafult gateway.

The ASA's outside interface is facing the internet and the inside is connected to the DMZ interface of our perimeter firewall.

The tunnel default gateway is our perimeter firewall. So, the web traffic comes from outside and goes to inside and goes to the DMZ interface of our perimeter firewall and out through the outside interface of the perimeter firewall.

I should be able to hairpin the web traffic on the outside of the ASA. DO you think this will force the URL filtering?

Meena

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to mchockalingam

‎03-31-2009 11:35 AM

Well since this traffic is at the end sent to this permiter firewall you might want to think about filtering url in that one (unless you want to modify the whole traffic flow) I think that hairpinning will allow you to do url filter on the asa itself since it somehow covers the "outbound" url filter rule.

0 Helpful

mchockalingam
Level 1
Level 1
In response to Ivan Martinon

‎03-31-2009 11:41 AM

I do not want to modify the whole traffic flow. I looked into doing the URL filtering on the perimeter firewall but it did not work out due to some licensing issues or some other reasons that are beyond me.

I still want to be able to use the perimeter firewall as the tunnel gateway but for port 80 non-internal traffic, I just want to hair-pin the traffic. I think I should be able to do this with some ACL and route statements.

Meena

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to mchockalingam

‎03-31-2009 11:50 AM

Unfortunately, if you define a tunnel default gateway, all traffic including http traffic will be sent to that firewall, you would need to remove the tunnel default gateway to achieve the hairpin feature.

0 Helpful

mchockalingam
Level 1
Level 1
In response to Ivan Martinon

‎03-31-2009 11:57 AM

I kinf of realized that after I posted my reply last time. As soon as the traffic gets decrpted it gets routed to the perimeter firewall and I cannot apply any ACL.

I wish there is an easier way.

Meena

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents